Zip Files
mark777
(@mark777)
Active Member

This should possibly be in the Software forum; if so, I apologise.

I am doing a CP case where i am recovering thousands of CP images including some that the suspect has taken himself (apparently) using a digital camera.

I have recovered one zip file that, when activated, requires a password to open. Once opened (I know the password) there are 110 jpg files in it, all of which have names that seem to relate to the first name of the young daughter of a family friend of the suspect's. (You can see what I am thinking here.) I am a bit concerned as to why, with so many illegal ones in clear view, these are protected. Each of the 110 jpg files is itself password protected, but not with the same one as the zip file.

PRTK does nothing at all with the zip file even though the dictionary used contains the known password for it.

I have conducted the following experiment

1. Create a zip file and place 1 file in it, passworded with FRED.
2. Create a zip file and put 1 file in it, passworded with TEST.
3. Create a zip file and put two files in it, one passworded with FRED and the other with TEST.

Then ran all files through PRTK

1 above was cracked in seconds.
2 above was cracked in seconds.
3 above is still running, and has been forever it seems, with no results.

It appears PRTK is unable to deal with zip files with more than one password involved.

I have also tried to export the individual jpg files using EnCase and FTK, to attack them individually, but am unable to do so without the password.

I would really appreciate any advice that anyone could give me to try and resolve this problem and gin access to the images.

Whilst I have more than enough evidence and images to ensure a good result, I am concerned that I may be missing the opportunity to identify a possible victim if I am unable to access the zip file images.

Posted : 03/05/2007 5:38 pm
mark777
(@mark777)
Active Member

Apologies for the spelling mistake third line up from the bottom of the above post.

Gin is what I need but gain is what I intended to write

Posted : 03/05/2007 5:41 pm
Alan
(@alan)
Member

Hi Mark,

Have you contacted AccessData regarding the problem? They should be able to provide some guidance.

A

Posted : 03/05/2007 5:55 pm
mark777
(@mark777)
Active Member

Alan

Yeah, several postings and messages to Jessica. Have spent the last two days installing, uninstalling, activating and deactivating everything in sight, but as yet nothing that works. Have sent her another message re the latest episodes, but I assume that in the USA she will still be in bed.

Time constraints mean I need to get on with the rest of the computers he had (1 Mac, 450 DVDs, 3 x 160 GB HDDs and 28 camera cards, and he is on bail till next week!!!!), so I thought I would ask on here to see if anyone had any ideas. Hopefully if I can get the individual jpgs out I can attack them individually.

Other concern was that the zip password and the file password are somehow interlinked and I cannot do them individually even if I can get them out.

Plan is, if all else fails, to slap the case on the desk in interview and ask him what the password is, but I would rather get it myself than look like I don't know what I'm doing (do I know what I'm doing, I hear you ask), to be honest.

Thanks for replying

cry

Posted : 03/05/2007 6:03 pm
Alan
(@alan)
Member

Mark,

What ZIP utility did he use? I have seen files zipped with SecureZIP from PKWARE, which uses very strong encryption routines. I don't think the normal zip utilities would cause such a problem as you described!

Another possibility is that the zip file could be corrupt?

Alan

Posted : 03/05/2007 6:13 pm
mark777
(@mark777)
Active Member

Alan

I have found WinRAR but not WinZip. Problem is that the drive he has stored this folder/file on appears to be a storage folder for all his different computers: Linux, Apple and Windows. The .zip file I am talking about is in a folder called macbackup, so will need to look there as well.

The fella is a geek so that says it all about his set up really.

Have also found several .vmc and .vhd virtual machine files on the drives as well.

Haven't even tried anything with them yet.

I wouldn't have thought the .zip file was corrupted, as when you click it, it opens, and then when you put the password in it displays the files inside to you; it just doesn't let me get at them.

Never mind, will keep going. It's all a good learning curve.

Mark wink

Posted : 03/05/2007 9:43 pm
Marat
(@marat)
Junior Member

mark777,

Problem is that the drive he has stored this folder/file on appears to be a storage folder for all his different computers - linux - apple and windows.

You can try to determine the *.zip file's metadata (like the version of the archiving tool, the OS where the *.zip was created, etc.).

Posted : 03/05/2007 10:51 pm
chris2792
(@chris2792)
Junior Member

It appears PRTK is unable to deal with zip files with more than one password involved

Perhaps that's an issue with WinZip. WinZip lets you enter a password once, then every operation will be done using that password until the archive is closed.

If you have a ZIP archive with 2 different passwords you'll have to extract one file, close the archive, reopen it and extract the other file.

Posted : 04/05/2007 5:05 pm
mitch
(@mitch)
Active Member

Mark

If the suspect has taken any photos of CP himself, have you seized all digital cameras? Because if you have the memory cards, you could tie up the camera with the images via EXIF info. (Don't mean to be rude, but hey, I've known it to be missed.)

Also PM you, Mark.

Simon

Posted : 04/05/2007 7:36 pm
_nik_
(@_nik_)
Member

I am a bit concerned as to why, with so many illegal in clear view, these are protected.

Yes - that's a valid concern. I'm glad you are persisting!

Each of the 110 jpg files are themselves password protected but not with the same one as the zip file.

When you look at the zip file are the file names there in plain text?
Are there other files than the 110 pics in there?

A possibility would be to edit the zip file so that you only have the files that you cannot access in there. Then run PRTK on it.

Posted : 04/05/2007 8:54 pm
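Three of the suggestions above (chris2792's point that each member of a ZIP carries its own password, Marat's idea of reading the archive's metadata, and _nik_'s idea of cutting the archive down so only the locked files are left) can be checked directly against the ZIP format. The script below is an added example, written for this page; it is not code from the thread, from AccessData/PRTK or from any poster. It builds its own sample archive in memory (two members, passworded FRED and TEST, the values from the experiment above) using the traditional PKWARE "ZipCrypto" scheme from APPNOTE section 6.1, then walks the central directory to report, per member, the encryption flag, compression method (99 marks WinZip AES, which is a different attack from ZipCrypto), the "version made by" host OS (the format never stores the tool's name, only the spec version and the host OS that wrote it), and finally carves each encrypted member into its own stand-alone .zip without knowing any password, which is possible precisely because encryption is per member. The sample data, passwords and timestamp are constructed; on real evidence you would pass the bytes of the recovered .zip to list_entries and split_entry and feed each carved file to the cracker on its own.

```python
import io
import os
import struct
import zipfile
import zlib

# "version made by" high byte -> host OS (APPNOTE 4.4.2.2); the tool's name itself is never stored
HOST_OS = {0: "MS-DOS/FAT", 3: "Unix", 7: "Macintosh", 10: "Windows NTFS", 19: "OS X (Darwin)"}
# standard reflected CRC-32 table, obtained from zlib by undoing its ~ pre/post-conditioning
_CRC_TABLE = [zlib.crc32(bytes([i]), 0xFFFFFFFF) ^ 0xFFFFFFFF for i in range(256)]


def zipcrypto_encrypt(pwd: bytes, plain: bytes, crc: int) -> bytes:
    """Traditional PKWARE encryption (APPNOTE 6.1); used here only to build the sample archive."""
    k = [0x12345678, 0x23456789, 0x34567890]

    def update(b):
        k[0] = _CRC_TABLE[(k[0] ^ b) & 0xFF] ^ (k[0] >> 8)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)

    for b in pwd:
        update(b)
    out = bytearray()
    # 12-byte prefix: 11 random bytes, then the CRC high byte that tools use as the password check
    for p in os.urandom(11) + bytes([(crc >> 24) & 0xFF]) + plain:
        t = (k[2] | 2) & 0xFFFF
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)


def build_encrypted_zip(members):
    """members: [(name, plaintext, password)]; stored (method 0), flag bit 0 set on every member."""
    body, central = bytearray(), bytearray()
    mtime, mdate = (17 << 11) | (38 << 5), ((2007 - 1980) << 9) | (5 << 5) | 3  # constructed stamp
    for name, plain, pwd in members:
        crc = zlib.crc32(plain) & 0xFFFFFFFF
        enc = zipcrypto_encrypt(pwd, plain, crc)
        n, lh_off = name.encode("ascii"), len(body)
        body += struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, mtime, mdate,
                            crc, len(enc), len(plain), len(n), 0) + n + enc
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", (3 << 8) | 20, 20, 1, 0,
                               mtime, mdate, crc, len(enc), len(plain), len(n), 0, 0, 0, 0, 0,
                               lh_off) + n
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(members), len(members),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


def list_entries(data: bytes):
    """Walk the central directory and report the fields that decide how each member is attacked."""
    eocd = data.rfind(b"PK\x05\x06")                     # assumes no archive comment containing PK\5\6
    n, _cd_size, pos = struct.unpack("<HII", data[eocd + 10:eocd + 20])
    out = []
    for _ in range(n):
        f = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        assert f[0] == b"PK\x01\x02", "bad central directory record"
        name = data[pos + 46:pos + 46 + f[10]].decode("utf-8" if f[3] & 0x800 else "cp437")
        size = 46 + f[10] + f[11] + f[12]                  # header + name + extra + comment
        out.append({"name": name, "encrypted": bool(f[3] & 1), "data_descriptor": bool(f[3] & 8),
                    "method": f[4], "aes": f[4] == 99,     # 99 = WinZip AES, a different attack
                    "host_os": HOST_OS.get(f[1] >> 8, f[1] >> 8), "spec_version": f[1] & 0xFF,
                    "comp_size": f[8], "local_header_offset": f[16], "_record": data[pos:pos + size]})
        pos += size
    return out


def split_entry(data: bytes, entry: dict) -> bytes:
    """Carve one member (local header + still-encrypted data) into its own archive; no password needed."""
    off = entry["local_header_offset"]
    lh = struct.unpack("<4sHHHHHIIIHH", data[off:off + 30])
    assert lh[0] == b"PK\x03\x04", "local header is not where the central directory says"
    end = off + 30 + lh[9] + lh[10] + entry["comp_size"]
    if entry["data_descriptor"]:                           # sizes trail the data: keep the descriptor
        end += 16 if data[end:end + 4] == b"PK\x07\x08" else 12
    local = data[off:end]
    rec = bytearray(entry["_record"])
    rec[42:46] = struct.pack("<I", 0)                      # the local header now sits at offset 0
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(rec), len(local), 0)
    return bytes(local + rec + eocd)


def read_member(archive: bytes, name: str, pwd: bytes) -> bytes:
    """Decrypt one member with the stdlib, which proves the carved archive is still a valid ZIP."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name, pwd=pwd)


if __name__ == "__main__":
    # constructed sample, not evidence: two members under two different passwords, as in the thread
    pwds = {"a.jpg": b"FRED", "b.jpg": b"TEST"}
    archive = build_encrypted_zip([(n, f"{n} bytes".encode(), p) for n, p in pwds.items()])
    for e in list_entries(archive):
        print(f"{e['name']}: encrypted={e['encrypted']} aes={e['aes']} method={e['method']} "
              f"host={e['host_os']} spec={e['spec_version'] / 10}")
        single = split_entry(archive, e)                   # hand this one file to the cracker on its own
        print("  carved member decrypts with its own password:", read_member(single, e["name"], pwds[e["name"]]))
```

Two things worth knowing when running this on a real archive. A member whose method is 99 is WinZip AES: its local data starts with a salt and a password verifier rather than the 12-byte ZipCrypto prefix, so a ZipCrypto-only cracker will never find the password however good the dictionary is. And the host OS byte only tells you which platform's conventions the writer followed (Mac and Linux tools write 3 or 19, Windows tools usually 0 or 10), which is a pointer towards which of the machines to look at, not a record of the tool name.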
gmarshall139
(@gmarshall139)
Active Member

Mark,

Keep up the good work. I will be glad to help you in any way I can. I'm glad to see you going the extra mile on a case such as this. I've had good results with Visual Zip Password Recovery Processor. It allows you to import your FTK generated word lists.

www.zipcure.com

It may be worth a try, I used it to crack 4 simple passwords in seconds.

Posted : 05/05/2007 12:25 am
mark777
(@mark777)
Active Member

Chris.

It is a strange way of opening this file. When you try to open the zip file (double click etc.) you are immediately presented with a password box. It is only when you put the password in that the normal zip window opens and the files contained within the zip file are presented. When you try to open any of the files displayed in the zip window you are asked for another password; in fact any operation on those files requires the password to be entered for anything to happen. All the files in the zip archive are passworded.

Mitch

Thanks mate, already sorted. Have got the camera and sorted that with the illegal ones he has taken with it that I have recovered. That is one of my concerns. He has taken (obviously, until convicted, that is allegedly taken) Cat 1 with the camera and they are unprotected, so what are the ones he has protected liable to be?

NIK

110 files in the archive, all show .jpg extension and all have the little asterisk beside them to show encrypted, just as you would expect really. They are the only ones in the archive. File name is in plain text.

Greg

Thanks for the kind comments and advice about the software. Will def give it a try next week when I am back at work.

Looks like it will be a case of charging on the thousands we have, but at least I will get the chance to ask him the password. Once I have it I suppose it will be easier to figure out for future reference.

Many thanks to everyone for the advice. Will keep trying when I can between jobs etc and post any results if and when I get them.

Posted : 05/05/2007 5:13 am
annodomini1969
(@annodomini1969)
New Member

I am a bit concerned as to why, with so many illegal in clear view, these are protected.

Yes - that's a valid concern. I'm glad you are persisting!

-----

Should I even take a stab at this one or is this not the place for psychobabble?

Posted : 05/05/2007 10:32 pm
Andy
(@andy)
Active Member

Mark, we have DNA running on a network. If you want I can give it a try for you?

Andy

Posted : 06/05/2007 2:07 pm
mark777
(@mark777)
Active Member

Cheers Andy. I have DNA but haven't tried it yet. I think the problem is the two passwords associated with the archive; it just seems to confuse PRTK.

Am away on a job next week, so a bit of travelling to do, so will give you a ring at some stage Tuesday or Wednesday and have a crack about it.

Posted : 07/05/2007 2:29 am